bug-bash

out of bounds in bashline.c attempt_shell_completion


From: David Krause
Subject: out of bounds in bashline.c attempt_shell_completion
Date: Tue, 25 May 2004 16:26:11 -0500
User-agent: Mutt/1.4.1i

Configuration Information:
Machine: i386
OS: openbsd3.5
Compiler: cc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i386' 
-DCONF_OSTYPE='openbsd3.5' -DCONF_MACHTYPE='i386-unknown-openbsd3.5' 
-DCONF_VENDOR='unknown' -DSHELL  -DHAVE_CONFIG_H  -I.  
-I/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b 
-I/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/include 
-I/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib  -O2
uname output: OpenBSD celtic.netcentral.net 3.5 NETCENTRAL#2 i386
Machine Type: i386-unknown-openbsd3.5

Bash Version: 2.05b
Patch Level: 0
Release Status: release

Description:
Core was generated by `bash'.
Program terminated with signal 11, Segmentation fault.
#0  0x1c0284e6 in attempt_shell_completion (text=0x3c0697e0 "/usr/loc", 
    start=0, end=8)
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/bashline.c:925
925       if (rl_line_buffer[ti] == '"' || rl_line_buffer[ti] == '\'')
(gdb) bt
#0  0x1c0284e6 in attempt_shell_completion (text=0x3c0697e0 "/usr/loc", 
    start=0, end=8)
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/bashline.c:925
#1  0x1c0442e1 in gen_completion_matches (text=0x3c0697e0 "/usr/loc", start=0, 
    end=8, our_func=0x1c045448 <rl_filename_completion_function>, 
    found_quote=0, quote_char=0)
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/complete.c:794
#2  0x1c04508a in rl_complete_internal (what_to_do=9)
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/complete.c:1486
#3  0x1c043aaa in rl_complete (ignore=1, invoking_key=9)
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/complete.c:322
#4  0x1c04063e in _rl_dispatch_subseq (key=9, map=0x3c02e220, got_subseq=0)
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:580
#5  0x1c0404fa in _rl_dispatch (key=9, map=0x3c02e220)
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:529
#6  0x1c0403b9 in readline_internal_char ()
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:443
#7  0x1c04047d in readline_internal_charloop ()
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:489
#8  0x1c040498 in readline_internal ()
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:503
#9  0x1c040111 in readline (prompt=0x3c069140 "-bash-2.05b# ")
    at 
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:299
#10 0x1c0025d8 in yy_readline_get ()
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:1108
#11 0x1c002539 in yy_getc ()
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:1042
#12 0x1c002d25 in shell_getc (remove_quoted_newline=1)
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:1803
#13 0x1c003710 in read_token (command=0)
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:2414
#14 0x1c00322b in yylex ()
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:2084
#15 0x1c006cb4 in yyparse () at y.tab.c:4700
#16 0x1c00234d in parse_command ()
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/eval.c:217
#17 0x1c002402 in read_command ()
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/eval.c:261
#18 0x1c00219f in reader_loop ()
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/eval.c:128
#19 0x1c0009e6 in main (argc=1, argv=0xcfbf4d3c, env=0xcfbf4d44)
    at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/shell.c:680
#20 0x1c000211 in ___start ()
(gdb) p rl_line_buffer
$1 = 0x3c047000 "/usr/loc"
(gdb) p ti
$2 = -1
(gdb) p rl_line_buffer[ti]
Cannot access memory at address 0x3c046fff.

Repeat-By:
        This crash occurs on both OpenBSD 3.5-stable and 3.5-current when
malloc debugging options are used (ln -s AJFG /etc/malloc.conf).  Trying
to complete "/usr/loc"(tab) will occasionally crash the whole shell.  It
looks like the array index is -1 and then it tries to get the value at
array[-1].

        If you type "/usr/loc" and press tab, then attempt_shell_completion
is called with start=0.  Then the code sets ti = start - 1, which means
ti=-1 and the quote check tries to read rl_line_buffer[-1] going out of
bounds.  It looks like this happens on Linux too, albeit without a crash.

David
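Added illustration, not from the report and not bash's own source: a small C model of the backward scan the report describes, with the off-by-one that reads one byte before the line buffer next to a bounds-checked version. The function names, the `line`/`start` parameters and the sample lines are assumptions made for this example; `start` plays the role of the `start` argument in the backtrace above (0 when the word being completed begins the line).

```c
#include <ctype.h>
#include <stdio.h>

/* Defective form (hypothetical reconstruction of the report's shape of bug):
 * ti = start - 1 is used as an index with no check that it is non-negative.
 * With start == 0 this reads line[-1], one byte before the buffer.  That is
 * undefined behaviour; with a guard page or a malloc debugger in front of the
 * allocation it becomes a segfault, which is what the report shows.  Only
 * defined when a quote precedes the word, so the test calls it that way. */
static int quote_before_unchecked(const char *line, int start)
{
    int ti = start - 1;                       /* -1 when start == 0 */
    while (isspace((unsigned char)line[ti]))  /* no ti >= 0 guard */
        ti--;
    if (line[ti] == '"' || line[ti] == '\'')
        return line[ti];
    return 0;
}

/* Hardened form: never index below zero.  A word that begins the line, or
 * that is preceded only by whitespace, simply has no quote before it. */
static int quote_before_checked(const char *line, int start)
{
    int ti;
    if (start <= 0)                           /* nothing precedes the word */
        return 0;
    ti = start - 1;
    while (ti >= 0 && isspace((unsigned char)line[ti]))
        ti--;                                 /* stop at the buffer's front */
    if (ti < 0)
        return 0;
    if (line[ti] == '"' || line[ti] == '\'')
        return line[ti];
    return 0;
}

int main(void)
{
    /* Constructed sample lines; "/usr/loc" with start = 0 is the report's case. */
    const char *a = "/usr/loc";
    const char *b = "\"/usr/loc";
    const char *c = "echo \" /usr/loc";
    printf("checked(\"%s\", 0) -> %d\n", a, quote_before_checked(a, 0));
    printf("checked(\"%s\", 1) -> %c\n", b, quote_before_checked(b, 1));
    printf("checked(\"%s\", 7) -> %c\n", c, quote_before_checked(c, 7));
    return 0;
}
```

Compiling the checked variant with a sanitizer (for example `-fsanitize=address`) and calling it with `start = 0` is a cheap regression check for this class of defect: the unchecked variant reports a read before the allocation, the checked one is silent.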
